While much of the world was out celebrating the new year of 2012, Robin Seggelmann was writing late-night code that would lead to the worst disaster in recent Internet history.
Heartbleed, a “catastrophic” security flaw in the OpenSSL cryptographic protocol that has affected two-thirds of the entire Internet’s communications, was committed at 10:59 pm on New Year’s Eve by Seggelmann, a 31-year-old Münster, Germany-based programmer.
That night, he made an error that has been compared to the misspelling of Mississippi, a careless but almost inevitable mistake that went undetected for over two years.
Photo source: Linuxtag
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he told the Sydney Morning Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.”
The man who reviewed his code, Dr. Stephen Henson, managed to miss the error completely as well.
By exploiting that small mistake, an attacker can steal a big slice of data from a computer’s main memory, which can contain usernames, passwords, and content that can endanger much of the Web’s most private content.
In the wake of Edward Snowden’s revelations of massive NSA Internet surveillance, questions quickly popped up, asking if Seggelmann had done this on purpose in an effort to build a backdoor into one of the Internet’s most important security tools.
Seggelman has denied deliberately inserting the flaw, saying it could “be explained pretty easily.” He does, however, know why it’s “tempting” to see the error as intentional. He calls Heartbleed “a simple programming error” that was “not intended at all”—but that it’s absolutely possible that intelligence agencies like the NSA have made use of the vulnerability since it was introduced.
How many intel agencies are looking at connections to Robin Seggelmann right now? https://t.co/BW1uDquZmN
— Matt Brooks (@cmatthewbrooks) April 10, 2014
“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Seggelmann said.
A year after writing the catastrophic bug, Seggelmann would finish up his PhD thesis titled “Strategies to Secure End-to-End Communication” at the University of Duisburg-Essen.
The OpenSSL team, including Seggelmann and Henson, is small and receives essentially no pay despite maintaining one of the world’s most popular and important pieces of open-source software. With this notable exception, the team has a stellar security record, as OpenSSL has been expanded to support the massive count of over 80 platforms.
“Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” Edward Felten, a computer security expert at Princeton University, told the New York Times.
OpenSSL is open-source software, meaning that anyone can look at the code under the program’s hood. In theory, that also means that more eyeballs can check the code for errors.
It didn’t work that way this time, of course, in no small part because a tiny volunteer team of 13 individuals is maintaining one of the Internet’s most important technologies. Like many key open-source projects, OpenSSL needs more help in the form of eyeballs and even money.
“Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding,” Matthew Green, a cryptographer and research professor at Johns Hopkins University, recently wrote, “so they can keep doing their job.”
Illustration by Fernando Alfonso III